Exposure of Sensitive Information to an Unauthorized Actor in Spring Security

2022-05-1705:17:30

Google

osv.dev

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

53.4%

JSON

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

CPENameOperatorVersion
org.springframework.security:spring-security-coreeq3.0.1.RELEASE
org.springframework.security:spring-security-coreeq2.0.4
org.springframework.security:spring-security-coreeq3.0.2.RELEASE
org.springframework.security:spring-security-coreeq3.1.0.RELEASE
org.springframework.security:spring-security-coreeq2.0.7.RELEASE
org.springframework.security:spring-security-coreeq3.1.1.RELEASE
org.springframework.security:spring-security-coreeq3.0.6.RELEASE
org.springframework.security:spring-security-coreeq2.0.2
org.springframework.security:spring-security-coreeq3.0.5.RELEASE
org.springframework.security:spring-security-coreeq2.0.1

Name	Operator	Version
org.springframework.security:spring-security-core	eq	3.0.1.RELEASE
org.springframework.security:spring-security-core	eq	2.0.4
org.springframework.security:spring-security-core	eq	3.0.2.RELEASE
org.springframework.security:spring-security-core	eq	3.1.0.RELEASE
org.springframework.security:spring-security-core	eq	2.0.7.RELEASE
org.springframework.security:spring-security-core	eq	3.1.1.RELEASE
org.springframework.security:spring-security-core	eq	3.0.6.RELEASE
org.springframework.security:spring-security-core	eq	2.0.2
org.springframework.security:spring-security-core	eq	3.0.5.RELEASE
org.springframework.security:spring-security-core	eq	2.0.1